This invention relates generally to computer virus detection, and more particularly to virus scanning.
A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever. The following notice applies to the software and data as described below and in the drawings hereto: Copyright © 1997, Network Associates, Inc., All Rights Reserved.
Anti-virus (AV) programs are, by design, fairly intrusive applications. They must sit between a user (or the user's applications) and the computer's file system, to ensure that infected files are not written to the file system. If infected files already reside on the file system, the AV program must ensure that they are not executed or copied to other computers.
AV programs scan computer files for known viruses in a number of ways, such as by comparing each file to a list of "virus signatures" that are stored in "virus signature files" or by emulating the computer instructions contained within the file to evaluate the effect of those instructions. The scanning can be done upon request of a user, when the file is accessed on a mass storage device (such as by an application), or on a scheduled basis. Virus scanning is, therefore, a resource-intensive (CPU and disk I/O) and time-consuming task, especially in the case of on-access scanning. Oftentimes, a user's file-open request must be delayed until the file can be scanned and possibly cleaned. This resource consumption can lead to a degradation of a computer's overall performance and slower response times for users.
Various techniques are currently used to reduce the amount of time and computer resources required by AV scanning. The techniques share the concept of saving a set of parameters, an AV "state," for the file as of the last scan so that once a file has been scanned and found free of infection, it should not need to be scanned again unless the file is modified. The parameters chosen for the AV state are those whose change is indicative of virus infection, such as the file's length, checksum, and date of last file write operation.
One common technique is to create an in-memory cache containing the AV state for files that have been scanned during the current execution of the AV program. The cache can be checked whenever a file is accessed or when a scheduled scan is due. If the file's AV state is in the cache, the AV state parameters for the file in the scan information cache are checked against the current parameters of the file. If the parameters match, a virus scan is not necessary. If the parameters do not match, or if the AV state for the file is not cached, then the file is scanned. The drawback to this approach is that such caches are limited to a reasonable memory size and cannot efficiently track all the files (potentially millions) that may reside on a file server, or even the smaller number that reside on individual stand-alone personal computers. Because the cache is volatile, the AV state for only the most recently used files will be present in the cache. The volatility of the cache also means that the cache is lost when the current execution of the AV program is terminated and thus must be recreated when the AV program is restarted, causing delays for the users as the requested files are re-scanned and the cache re-populated.
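The in-memory cache technique described above, written out as an added example (this is illustrative code, not code from the patent or from Network Associates). The cached AV state is the (length, last-write time, checksum) triple the description names; the scanner is a constructed stand-in that flags a marker string, and the files are temporary files created by the demo. Note that comparing the checksum on every access means the whole file is read even on a cache hit, which is part of the overhead the description refers to.

```python
import hashlib
import os
import tempfile

# Constructed marker: the stand-in "scanner" reports a file infected if it contains this.
INFECTION_MARKER = b"CONSTRUCTED-INFECTION-MARKER"


def file_checksum(path):
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def current_state(path):
    """The AV state parameters named in the description: length, last write, checksum."""
    st = os.stat(path)
    return (st.st_size, st.st_mtime_ns, file_checksum(path))


def toy_scanner(path):
    """Constructed scanner: True if the file is 'infected' (contains the marker)."""
    with open(path, "rb") as f:
        return INFECTION_MARKER in f.read()


class AvStateCache:
    """Volatile, per-execution cache of AV state for files already found clean."""

    def __init__(self, scanner):
        self._scanner = scanner   # callable(path) -> bool, True if infected
        self._states = {}         # path -> AV state tuple; lost when the process exits
        self.scans = 0            # how many real scans were needed

    def check(self, path):
        """Return True if infected; scan only if the cached state is missing or stale."""
        state = current_state(path)
        if self._states.get(path) == state:
            return False          # parameters match the last clean scan: no scan needed
        self.scans += 1
        infected = self._scanner(path)
        if infected:
            self._states.pop(path, None)   # never cache an infected file as clean
        else:
            self._states[path] = state
        return infected


def demo():
    """Exercise the cache; returns a list of (infected, scans_so_far) per access."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.doc")
        cache = AvStateCache(toy_scanner)

        with open(path, "wb") as f:
            f.write(b"clean document")
        results.append((cache.check(path), cache.scans))   # first access: scanned
        results.append((cache.check(path), cache.scans))   # unchanged: cache hit

        with open(path, "ab") as f:
            f.write(b" edited")                            # length/checksum change
        results.append((cache.check(path), cache.scans))   # stale state: rescanned

        with open(path, "ab") as f:
            f.write(INFECTION_MARKER)
        results.append((cache.check(path), cache.scans))   # infected: scanned, not cached
        results.append((cache.check(path), cache.scans))   # still not cached: scanned again
    return results


if __name__ == "__main__":
    for infected, scans in demo():
        print(f"infected={infected} scans={scans}")
```

A restart of the program discards `_states` entirely, which is exactly the repopulation cost the paragraph describes.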
Another approach stores the AV state (often just a checksum) in an external database that is then compared against the current values of the AV state parameters when the file is accessed. This technique is only effective if the AV state information is thoroughly secure against unauthorized changes. The user or administrator also faces the challenges inherent in maintaining the external database. Additionally, the database technique requires that the AV state is accessed separately from the file itself, thus incurring system overhead. The total processing cost of generating the AV state, storing it in the external database and retrieving it when needed can exceed the cost of scanning the file.
An alternate technique that is similar to the external database approach addresses the cost of accessing the AV state separately from the file itself by appending the AV state (again frequently just a checksum) to the end of the file. However, this scheme is less secure than the others in that a sophisticated virus can overwrite the checksum with the value for the infected file. Additionally, since the AV program modifies the file, errors in the program may cause loss of user data. Moreover, the addition of information to a file can cause various system utilities to assume the file is bad, causing the original version of the file to be reloaded, or it may be viewed as virus-like behavior, triggering a false alarm. This technique is also disfavored by users and systems administrators who are reluctant to give a third-party the right to modify their files.
Therefore, the current techniques used by AV programs provide only limited savings of user time and system resources when scanning files, while often introducing other risks and complications.
The above-mentioned shortcomings, disadvantages and problems are addressed by the present invention, which will be understood by reading and studying the following specification.
Anti-virus software creates a session key for each execution of the software. It obtains a session stamp that is associated with a directory entry for a file that is to be scanned. If the session stamp was created using a session key for a previous session, or if there is no session stamp, the file is scanned for viruses. An existing session stamp is updated as a result of the scan. In one aspect, the existing session stamp is updated by being invalidated if the file is infected. In another aspect, the existing session stamp is updated by identifying the file as infected.
The current session key is used when updating a session stamp or when a new session stamp is created. In one aspect, the session stamp contains a signature that is either the session key itself or a known value encrypted with the session key.
Because the session stamp is associated with the file's directory entry, the file system automatically reads the session stamp into memory, if the entry is not already cached, thus reducing the number of file accesses necessary to determine the AV state of the file. Because directory entries are stored so they can be rapidly accessed, associating the session stamp with the entry also decreases the overall time a user must wait for the file to become available. Additionally, when the file is renamed or moved without changes to the file itself, the session stamp remains with the directory entry so that the file does not have to be rescanned.
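The session-key and session-stamp scheme of the summary, as an added example that is not the patent's or Network Associates' code. Several details are assumptions made to make it runnable: the directory entry is a plain object whose stamp field survives rename; the "known value encrypted with a session key" is realized as an HMAC of a constructed constant under a per-execution random key; a write to the file clears the stamp (the summary only states that the stamp survives rename and move without changes); and the scanner is a constructed marker check. Both update aspects are shown: invalidating the stamp on infection, or recording the file as infected.

```python
import hashlib
import hmac
import secrets

KNOWN_VALUE = b"CONSTRUCTED-KNOWN-VALUE"           # assumed plaintext for the signature
INFECTION_MARKER = b"CONSTRUCTED-INFECTION-MARKER"  # constructed scanner trigger


class DirectoryEntry:
    """Simulated directory entry; the session stamp lives here, not in the file data."""

    def __init__(self, name, data):
        self.name = name
        self.data = data
        self.session_stamp = None   # None: no stamp has been created yet

    def rename(self, new_name):
        self.name = new_name        # stamp stays with the entry

    def write(self, data):
        self.data = data
        self.session_stamp = None   # assumption: the file-system hook drops the stamp on write


def toy_scanner(data):
    """Constructed scanner: True if 'infected'."""
    return INFECTION_MARKER in data


class AvSession:
    """One execution of the AV software: a fresh session key, stamps valid only for it."""

    def __init__(self, scanner, invalidate_on_infection=True):
        self.session_key = secrets.token_bytes(32)
        self._scanner = scanner
        self._invalidate = invalidate_on_infection
        self.scans = 0

    def _signature(self):
        # Assumed realization of "known value encrypted with a session key": keyed MAC.
        return hmac.new(self.session_key, KNOWN_VALUE, hashlib.sha256).digest()

    def _stamp_is_current(self, stamp):
        # A stamp made by a previous session carries a different signature and fails here.
        return stamp is not None and hmac.compare_digest(stamp["sig"], self._signature())

    def check(self, entry):
        """Return True if infected; scan only when the stamp is missing or from an old session."""
        if self._stamp_is_current(entry.session_stamp):
            return entry.session_stamp["infected"]
        self.scans += 1
        infected = self._scanner(entry.data)
        if infected and self._invalidate:
            entry.session_stamp = None                       # aspect 1: invalidate
        else:
            entry.session_stamp = {"sig": self._signature(),  # new or updated stamp
                                   "infected": infected}       # aspect 2: mark infected
        return infected


def demo():
    """Returns (infected, scans) per access across a rename, a restart, and an infection."""
    results = []
    entry = DirectoryEntry("report.doc", b"clean document")

    s1 = AvSession(toy_scanner)
    results.append((s1.check(entry), s1.scans))    # no stamp: scanned, stamp created
    entry.rename("report-final.doc")
    results.append((s1.check(entry), s1.scans))    # stamp survives rename: no scan

    s2 = AvSession(toy_scanner)                    # restart: new session key
    results.append((s2.check(entry), s2.scans))    # stamp from old key: rescanned

    entry.write(b"clean document" + INFECTION_MARKER)
    results.append((s2.check(entry), s2.scans))    # infected: stamp invalidated
    results.append((s2.check(entry), s2.scans))    # no stamp: scanned again

    s3 = AvSession(toy_scanner, invalidate_on_infection=False)
    results.append((s3.check(entry), s3.scans))    # infected: stamp marks it infected
    results.append((s3.check(entry), s3.scans))    # stamp current: answered without scan
    return results


if __name__ == "__main__":
    for infected, scans in demo():
        print(f"infected={infected} scans={scans}")
```

Because the signature depends on a key that exists only for the current execution, a stamp cannot be carried forward by anything that did not run inside this session, which is what makes a stale or forged stamp fall through to a real scan.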
The present invention describes systems, clients, servers, methods, and computer-readable media of varying scope. In addition to the aspects and advantages of the present invention described in this summary, further aspects and advantages of the invention will become apparent by reference to the drawings and by reading the detailed description that follows.